Colorado Privacy Act (CPA)

Colorado Privacy Act - Mandatly Inc.

Colorado is officially the third U.S. state to adopt comprehensive privacy legislation, after California and Virginia. The Colorado General Assembly passed the Colorado Privacy Act (CPA), Senate Bill 21-109, on June 8, 2021. Colorado's governor, Jared Polis, signed the Colorado Privacy Act ("CPA") into law on July 7, 2021. It will be effective from July 1, 2023.

Applicability [CPA Section 6-1-1304]

The CPA applies to controllers that:

  • Conduct business in Colorado, or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado;
    and
  • Satisfy one or both of the following conditions:
    • Control or process the personal data of one hundred thousand (100,000) consumers or more during a calendar year; or
    • Derive revenue, or receive a discount on the price of goods or services, from the sale of personal data and process or control the personal data of twenty-five thousand (25,000) consumers or more.

Important terms

“Consumer” [CPA Section 6-1-1303(6)]

  • Means an individual who is a Colorado resident acting only in an individual or household context;
    and
  • Does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

"Personal Data" [CPA Section 6-1-1303(17)]:

  • Means information that is linked or reasonably linkable to an identified or identifiable individual;
    and
  • Does not include de-identified data or publicly available information.

"Process" or "Processing" [CPA Section 6-1-1303(18)]:

“Process” or “Processing” means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.

Consumer personal data rights [CPA Section 6-1-1306(1)]

  1. Right to opt out: A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:
    • Targeted advertising;
    • The sale of personal data; or
    • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
  2. Right of access: A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access such data.
  3. Right to correction: A consumer has the right to correct inaccuracies in the consumer's personal data.
  4. Right to deletion: A consumer has the right to delete personal data concerning the consumer.
  5. Right to data portability: A consumer has the right to obtain personal data in a readily usable and portable format. A consumer may exercise this right a maximum of 2 times in a calendar year.

Controllers have 45 days to respond to an authenticated consumer request, which can be extended by 45 additional days where it is reasonably necessary to do so.

Duties of Controller [CPA Section 6-1-1308]

  1. Duty of transparency: A controller must provide consumers with a clear and reasonably accessible privacy notice that includes all the required information and declarations.
  2. Duty of purpose specification: A controller must specify the express purposes for which personal data is collected and processed.
  3. Duty of data minimization: A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specified purposes.
  4. Duty to avoid secondary use: A controller shall process personal data only for purposes that are reasonably necessary for or compatible with the specified purposes, or must obtain the consumer's consent for further processing.
  5. Duty of care: A controller shall take reasonable measures to secure personal data from unauthorized acquisition during both storage and use.
  6. Duty to avoid unlawful discrimination: A controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
  7. Duty regarding sensitive data: A controller shall obtain the consumer's consent before processing sensitive data, or, for data concerning a known child, the consent of the child's parent or lawful guardian.

Data Protection Assessments [CPA Section 6-1-1309]

Controllers must undertake a data protection assessment for each processing activity involving a heightened risk of harm to consumers, including:

  1. Targeted advertising or profiling, where the profiling presents a reasonably foreseeable risk of:
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial or physical injury to consumers;
    • An intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
    • Other substantial injury to consumers.
  2. Selling personal data.
  3. Processing sensitive data.

Controllers must make these data protection assessments available to the Colorado Attorney General upon request.

Enforcement [CPA Section 6-1-1311]

Consumers do not have a private right of action under this act. The Attorney General and district attorneys have the authority to enforce it. A business has a 60-day period from the date it receives a notice of violation from the Attorney General or a district attorney to cure the violation; however, this cure provision is automatically repealed on January 1, 2025, after which the cure mechanism disappears. Any organization violating the CPA is liable for civil penalties of up to $20,000 per violation, imposed under Section 6-1-112 of the Colorado Revised Statutes.
